Skip to content

Commit 07959fc

Browse files
devnexendevnexen
committed
Merge branch 'PHP-8.4'
2 parents 60e9fb5 + 351face commit 07959fc

File tree

2 files changed

+39
-3
lines changed

2 files changed

+39
-3
lines changed

ext/curl/interface.c

+6-3
Original file line numberDiff line numberDiff line change
@@ -1896,14 +1896,11 @@ static zend_result _php_curl_setopt(php_curl *ch, zend_long option, zval *zvalue
18961896
case CURLOPT_SSLKEYTYPE:
18971897
case CURLOPT_SSL_CIPHER_LIST:
18981898
case CURLOPT_USERAGENT:
1899-
case CURLOPT_USERPWD:
19001899
case CURLOPT_COOKIELIST:
19011900
case CURLOPT_FTP_ALTERNATIVE_TO_USER:
19021901
case CURLOPT_SSH_HOST_PUBLIC_KEY_MD5:
1903-
case CURLOPT_PASSWORD:
19041902
case CURLOPT_PROXYPASSWORD:
19051903
case CURLOPT_PROXYUSERNAME:
1906-
case CURLOPT_USERNAME:
19071904
case CURLOPT_NOPROXY:
19081905
case CURLOPT_SOCKS5_GSSAPI_SERVICE:
19091906
case CURLOPT_MAIL_FROM:
@@ -1997,6 +1994,12 @@ static zend_result _php_curl_setopt(php_curl *ch, zend_long option, zval *zvalue
19971994
case CURLOPT_HSTS:
19981995
#endif
19991996
case CURLOPT_KRBLEVEL:
1997+
// Authorization header would be implictly set
1998+
// with an empty string thus we explictly set the option
1999+
// to null to avoid this unwarranted side effect
2000+
case CURLOPT_USERPWD:
2001+
case CURLOPT_USERNAME:
2002+
case CURLOPT_PASSWORD:
20002003
{
20012004
if (Z_ISNULL_P(zvalue)) {
20022005
error = curl_easy_setopt(ch->cp, option, NULL);

ext/curl/tests/gh18458.phpt

+33
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,33 @@
1+
--TEST--
2+
GH-18458 (authorization header is set despite CURLOPT_USERPWD set to null)
3+
--EXTENSIONS--
4+
curl
5+
--SKIPIF--
6+
<?php
7+
include 'skipif-nocaddy.inc';
8+
?>
9+
--FILE--
10+
<?php
11+
12+
$ch = curl_init("https://localhost/userpwd");
13+
curl_setopt($ch, CURLOPT_USERPWD, null);
14+
curl_setopt($ch, CURLOPT_VERBOSE, true);
15+
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
16+
curl_setopt($ch, CURLOPT_STDERR, fopen("php://stdout", "w"));
17+
$response = curl_exec($ch);
18+
var_dump(str_contains($response, "authorization"));
19+
20+
$ch = curl_init("https://localhost/username");
21+
curl_setopt($ch, CURLOPT_USERNAME, null);
22+
curl_setopt($ch, CURLOPT_PASSWORD, null);
23+
curl_setopt($ch, CURLOPT_VERBOSE, true);
24+
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
25+
curl_setopt($ch, CURLOPT_STDERR, fopen("php://stdout", "w"));
26+
$response = curl_exec($ch);
27+
var_dump(str_contains($response, "authorization"));
28+
?>
29+
--EXPECTF--
30+
%A
31+
bool(false)
32+
%A
33+
bool(false)

0 commit comments

Comments
 (0)